defenseunicorns / uds-core

A FOSS secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
GNU Affero General Public License v3.0

Document how to configure private PKI #593

Open rjferguson21 opened 3 months ago

rjferguson21 commented 3 months ago

Currently there is no global configuration for uds-core to configure trusted certificate bundles when using private PKI. As a stop-gap to an automated solution we should have a document that covers how each package needs to be configured to support private PKI.

Related to:

tworcester commented 2 months ago

I have had to do this recently and wanted to dump my notes here hoping that it will help! Some of these components are from the software factory as well.

All of the following assume you have a configmap named fizz-buzz with a key ca.pem.

Grafana

extraConfigMapMounts:
  - name: ca-certs
    mountPath: /etc/ssl/certs/ca-certificates.crt
    configMap: fizz-buzz
    readOnly: true
    subPath: ca.pem
# This is from UDS, but because it was an array I needed to add it back by hand
  - name: auth-generic-oauth-secret-mount
    secretName: sso-client-uds-core-admin-grafana
    defaultMode: 0440
    mountPath: /etc/secrets/auth_generic_oauth
    readOnly: true

Loki

memcachedExporter:
  extraArgs:
    memcached.tls.ca.crt: <path>/ca.pem

backend:
  extraArgs:
    - -s3.http.ca-file=<path>/ca.pem
  extraVolumeMounts:
    - name: ca-certs
      mountPath: <path>
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 420

read:
  extraArgs:
    - -s3.http.ca-file=<path>/ca.pem
  extraVolumeMounts:
    - name: ca-certs
      mountPath: <path>
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 420

write:
  extraArgs:
    - -s3.http.ca-file=<path>/ca.pem
  extraVolumeMounts:
    - name: ca-certs
      mountPath: <path>
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 420

Velero

extraVolumes:
  - configMap:
      defaultMode: 420
      name: fizz-buzz
    name: ca-certs
extraVolumeMounts:
  - mountPath: /etc/ssl/cert.pem
    name: ca-certs
    subPath: ca.pem

configuration:
  extraVolumes:
    - configMap:
        defaultMode: 420
        name: fizz-buzz
      name: ca-certs
  extraVolumeMounts:
    - mountPath: /etc/ssl/cert.pem
      name: ca-certs
      subPath: ca.pem

nodeAgent:
  extraVolumes:
    - configMap:
        defaultMode: 420
        name: fizz-buzz
      name: ca-certs
  extraVolumeMounts:
    - mountPath: /etc/ssl/cert.pem
      name: ca-certs
      subPath: ca.pem

Gitlab-runner

runners:
  config: |
    [[runners]]
      [[runners.kubernetes.volumes.config_map]]
        name = "fizz-buzz"
        mount_path = "/etc/gitlab-runner/certs"

Gitlab

FYI, there is an issue here: with this option enabled, the gitlab init container that adds these CAs to the shared mount tries to run as root, and Pepr prevents that, resulting in a failed init container. I had to add an exemption to make this work. There is probably a better way. /cc @mjnagel

global:
  certificates:
    customCAs:
      - configMap: fizz-buzz
        keys:
          - ca.pem

Mattermost

mattermostApp:
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 0644
  extraVolumeMounts:
    - name: ca-certs
      mountPath: /etc/ssl/cert.pem
      subPath: ca.pem
      readOnly: true
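
Every snippet in the notes above mounts the same ConfigMap (fizz-buzz, key ca.pem) into a different place, so the one thing that breaks all of them at once is a bad bundle in that ConfigMap. The script below is an added example, not code from uds-core or from the commenter: it checks a PEM bundle the way a reviewer would before it goes into the cluster (only CERTIFICATE blocks, clean base64, an outer DER SEQUENCE whose length matches the block so a truncated paste is caught, no private key accidentally exported alongside) and then renders the ConfigMap as JSON that `kubectl apply -f` accepts. The sample bundle is constructed; its certificate bodies are minimal DER SEQUENCEs standing in for real CA certificates, and the "Bag Attributes" lines imitate what `openssl pkcs12` prints in front of a cert.

```python
import base64
import json
import re
import ssl

# Constructed sample bundle (not a real CA): one structurally valid DER
# SEQUENCE standing in for a cert, one truncated cert, a private key that must
# never ship in a trust bundle, and "Bag Attributes" noise of the kind
# `openssl pkcs12` emits in front of a certificate.
SAMPLE_BUNDLE = """\
Bag Attributes
    friendlyName: example-root
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAUCAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
AAAA
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_length_ok(der: bytes) -> bool:
    """Check that the outer DER SEQUENCE header accounts for exactly len(der) bytes.

    A certificate cut off while being pasted into a ConfigMap still has valid
    looking PEM armor and decodes as base64; the length in the TLV header is
    what exposes the truncation.
    """
    if len(der) < 2 or der[0] != 0x30:  # 0x30 is the SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:  # short form: a single length byte
        header_len, content_len = 2, first
    else:  # long form: low 7 bits give the number of length bytes that follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header_len = 2 + n
        content_len = int.from_bytes(der[2 : 2 + n], "big")
    return header_len + content_len == len(der)


def split_bundle(text: str):
    """Return (certs, problems): certs as normalised PEM strings, problems as messages."""
    certs, problems = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            problems.append(f"{label} block found; only certificates belong in a trust bundle")
            continue
        try:
            # validate=True rejects stray characters instead of silently dropping them
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            problems.append(f"certificate block is not valid base64: {exc}")
            continue
        if not der_length_ok(der):
            problems.append("certificate block is truncated or not a DER SEQUENCE")
            continue
        # Re-armor from DER: clean 64-column PEM, no Bag Attributes or other text
        certs.append(ssl.DER_cert_to_PEM_cert(der))
    if not certs:
        problems.append("no certificate blocks found")
    return certs, problems


def build_configmap(bundle_text: str, name: str = "fizz-buzz", key: str = "ca.pem") -> dict:
    """Render the ConfigMap the notes assume; refuse to render a bundle with problems."""
    certs, problems = split_bundle(bundle_text)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name},
        "data": {key: "".join(certs)},
    }


if __name__ == "__main__":
    certs, problems = split_bundle(SAMPLE_BUNDLE)
    for problem in problems:
        print("PROBLEM:", problem)
    # With the bad blocks removed, the result is ready for `kubectl apply -f`
    print(json.dumps(build_configmap("".join(certs)), indent=2))
```

Run it against the real bundle (`python3 check_bundle.py < ca.pem` after swapping `SAMPLE_BUNDLE` for `sys.stdin.read()`), fix anything reported, and only then create the ConfigMap; the same structural check is worth repeating on the file a pod actually sees at the mount path (for example `/etc/ssl/cert.pem` in the Velero and Mattermost snippets), since a `subPath` mount of the wrong key quietly yields an empty or wrong file rather than an error.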

tworcester commented 2 months ago

I would also like to mention that I don't think this is currently supported with Keycloak. I had to make a kustomize manifest to add a volume/volumeMount and add a kc.sh command line param to point it to the ca.pem file. I set this parameter: --truststore-paths=<path>

Edit: Put the wrong command arg there, fixed.